Windows Analysis Report
C5Zr4LSzmp.exe

Overview

General Information

Sample name: C5Zr4LSzmp.exe (renamed because original name is a hash value)
Original sample name: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
Analysis ID: 1588242
MD5: 1cd6afe88ba532ca70c927d90314eac8
SHA1: 3e5c107a20bad54a81ec0cb7e18e4dddcfca003b
SHA256: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • C5Zr4LSzmp.exe (PID: 8180 cmdline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe" MD5: 1CD6AFE88BA532CA70C927D90314EAC8)
    • C5Zr4LSzmp.exe (PID: 5848 cmdline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe" MD5: 1CD6AFE88BA532CA70C927D90314EAC8)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
00000000.00000002.3154713841.00000000037F7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.3150994425.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: C5Zr4LSzmp.exe PID: 8180 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: C5Zr4LSzmp.exe PID: 8180 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.C5Zr4LSzmp.exe.37c3648.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.C5Zr4LSzmp.exe.37c3648.3.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
              • 0x24cc3:$gen01: ChromeGetRoamingName
              • 0x24ce8:$gen02: ChromeGetLocalName
              • 0x24d2b:$gen03: get_UserDomainName
              • 0x28bc4:$gen04: get_encrypted_key
              • 0x27943:$gen05: browserPaths
              • 0x27c19:$gen06: GetBrowsers
              • 0x27501:$gen07: get_InstalledInputLanguages
              • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
              • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
              • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
              • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
              • 0x296be:$spe9: *wallet*
              • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
              • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
              • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
              • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
              • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
              • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
              • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
              • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.C5Zr4LSzmp.exe.380e868.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.C5Zr4LSzmp.exe.380e868.2.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
0.2.C5Zr4LSzmp.exe.380e868.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

Source: 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C5Zr4LSzmp.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C5Zr4LSzmp.exe | Joe Sandbox ML: detected
Source: C5Zr4LSzmp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C5Zr4LSzmp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbV7z} source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb+ source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SWhi.pdb source: C5Zr4LSzmp.exe
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb_f source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.00000000012F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SWhi.pdbSHA256 source: C5Zr4LSzmp.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbd source: C5Zr4LSzmp.exe, 00000004.00000002.3155445382.00000000065C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.00000000012F2000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Code function: 4x nop then jmp 06FC7A66h | 0_2_06FC6EE0

                  Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.10:49814 -> 87.120.120.86:1912
Source: Joe Sandbox View | IP Address: 87.120.120.86
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: C5Zr4LSzmp.exe, 00000000.00000002.3152713630.0000000002641000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (all from the same set of regions):
  • http://tempuri.org/Entity/Id10LR
  • http://tempuri.org/Entity/Id10Response
  • http://tempuri.org/Entity/Id11LR
  • http://tempuri.org/Entity/Id11Response
  • http://tempuri.org/Entity/Id12LR
  • http://tempuri.org/Entity/Id12Response
  • http://tempuri.org/Entity/Id13LR
  • http://tempuri.org/Entity/Id13Response
  • http://tempuri.org/Entity/Id14LR
  • http://tempuri.org/Entity/Id14Response
  • http://tempuri.org/Entity/Id15LR
  • http://tempuri.org/Entity/Id15Response
  • http://tempuri.org/Entity/Id16LR
  • http://tempuri.org/Entity/Id16Response
  • http://tempuri.org/Entity/Id17LR
  • http://tempuri.org/Entity/Id17Response
  • http://tempuri.org/Entity/Id18LR
  • http://tempuri.org/Entity/Id18Response
  • http://tempuri.org/Entity/Id19LR
  • http://tempuri.org/Entity/Id19Response
  • http://tempuri.org/Entity/Id1LR
  • http://tempuri.org/Entity/Id1Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/x
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000000.00000002.3154713841.00000000037F7000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3150994425.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip

                  System Summary

                  Source: 0.2.C5Zr4LSzmp.exe.37c3648.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.380e868.2.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.380e868.2.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.37c3648.3.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 4.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.3734228.1.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_00C03E340_2_00C03E34
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_00C0E1240_2_00C0E124
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_00C06F900_2_00C06F90
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_057767B00_2_057767B0
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_057767A20_2_057767A2
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06FC88FD0_2_06FC88FD
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06FC4FF80_2_06FC4FF8
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06FC4BC00_2_06FC4BC0
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06FC34E80_2_06FC34E8
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06FC30B00_2_06FC30B0
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06FC39200_2_06FC3920
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_089C41170_2_089C4117
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_089C12400_2_089C1240
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_089C36680_2_089C3668
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_089C6D080_2_089C6D08
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_089C11F80_2_089C11F8
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_089C12300_2_089C1230
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 4_2_02FDDC744_2_02FDDC74
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3154713841.0000000003842000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3154713841.0000000003842000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3151162968.00000000007FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3154713841.00000000037F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000000.1289913266.0000000000162000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSWhi.exeJ vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3160144106.0000000006F00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.3159675507.0000000006BA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000004.00000002.3150994425.0000000000446000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exeBinary or memory string: OriginalFilenameSWhi.exeJ vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.C5Zr4LSzmp.exe.37c3648.3.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.380e868.2.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.380e868.2.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.37c3648.3.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 4.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.3734228.1.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: C5Zr4LSzmp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal96.troj.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C5Zr4LSzmp.exe.log
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C5Zr4LSzmp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C5Zr4LSzmp.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C5Zr4LSzmp.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\C5Zr4LSzmp.exe "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Process created: C:\Users\user\Desktop\C5Zr4LSzmp.exe "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Process created: C:\Users\user\Desktop\C5Zr4LSzmp.exe "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C5Zr4LSzmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C5Zr4LSzmp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C5Zr4LSzmp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbV7z} source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb+ source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: SWhi.pdb source: C5Zr4LSzmp.exe
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb_f source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.00000000012F2000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: SWhi.pdbSHA256 source: C5Zr4LSzmp.exe
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.000000000128D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbd source: C5Zr4LSzmp.exe, 00000004.00000002.3155445382.00000000065C0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.00000000012F2000.00000004.00000020.00020000.00000000.sdmp
Source: C5Zr4LSzmp.exe | Static PE information: 0xB0E81075 [Sat Jan 19 20:03:01 2064 UTC]
Source: C5Zr4LSzmp.exe | Static PE information: section name: .text entropy: 7.619026885043087
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 8180, type: MEMORYSTR
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: BA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 2640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 8C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 9C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 9E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: AE60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 7224 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 7176 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 7224 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 5920 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Thread delayed: delay time: 240000
Source: C5Zr4LSzmp.exe, 00000004.00000002.3151264823.0000000001332000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Memory written: C:\Users\user\Desktop\C5Zr4LSzmp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Process created: C:\Users\user\Desktop\C5Zr4LSzmp.exe "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Users\user\Desktop\C5Zr4LSzmp.exe VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Users\user\Desktop\C5Zr4LSzmp.exe VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.37c3648.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.380e868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.380e868.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.37c3648.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.3734228.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3154713841.00000000037F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3150994425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 8180, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 5848, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.37c3648.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.380e868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.380e868.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.37c3648.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.3734228.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3154713841.00000000037F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3150994425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 8180, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 5848, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column; a number in parentheses is the report's signature-count annotation for that technique, techniques without a number were not matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Obfuscated Files or Information (2); Software Packing (2); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (31); System Information Discovery (12); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus results for the submitted file (the Link column is empty for both rows):

Source          Detection  Scanner         Label
C5Zr4LSzmp.exe  74%        ReversingLabs   ByteCode-MSIL.Trojan.AgentTesla
C5Zr4LSzmp.exe  100%       Joe Sandbox ML

The ReversingLabs label names AgentTesla, which conflicts with the RedLine classification this report derives from the extracted configuration and Yara matches. A generic ByteCode-MSIL trojan label from static scanning is weak evidence for family attribution; the configuration-derived classification is the one to rely on.
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
URL/IP scanner results (the Link column is empty):

Source              Detection  Scanner          Label
87.120.120.86:1912  0%         Avira URL Cloud  safe

No contacted domains info

Contacted IPs:

Name                Malicious  Antivirus Detection     Reputation
87.120.120.86:1912  true       Avira URL Cloud: safe   unknown

The "true" verdict for 87.120.120.86:1912 comes from the C2 endpoint recovered from the sample's configuration and the traffic observed on a non-standard port, not from URL reputation, which still rates the endpoint safe and its reputation unknown. Reputation feeds lag behind fresh infrastructure; block and hunt on the configuration-derived socket regardless of the reputation score.
Strings found in memory (Name, Source, Malicious, Antivirus Detection, Reputation). No row carries an Antivirus Detection entry. The Source column refers to memory dumps of C5Zr4LSzmp.exe; the dump identifiers are reproduced below as reported and abbreviated to the sets [A] to [D]:

[A] seven dumps 00000004.00000002.3152207896.<base>.00000004.00000800.00020000.00000000.sdmp with <base> in 00000000033B2000, 0000000003363000, 0000000003201000, 000000000349E000, 000000000330E000, 000000000344F000, 0000000003400000
[B] 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp
[C] 00000000.00000002.3152713630.0000000002641000.00000004.00000800.00020000.00000000.sdmp
[D] 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.3154713841.00000000037F7000.00000004.00000800.00020000.00000000.sdmp; 00000004.00000002.3150994425.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Name                                                                    Source  Malicious  Reputation
http://tempuri.org/Entity/Id10Response                                  [A]     false      high
http://tempuri.org/Entity/Id24LR                                        [A]     false      high
http://tempuri.org/Entity/Id8Response                                   [A]     false      high
http://tempuri.org/Entity/Id22LR                                        [A]     false      high
http://tempuri.org/Entity/Id20LR                                        [A]     false      high
http://tempuri.org/Entity/Id12Response                                  [A]     false      high
http://schemas.xmlsoap.org/soap/envelope/                               [B]     false      high
http://tempuri.org/Entity/Id2Response                                   [A]     false      high
http://tempuri.org/Entity/Id21Response                                  [A]     false      high
http://tempuri.org/Entity/Id19LR                                        [A]     false      high
http://tempuri.org/Entity/Id23Response                                  [A]     false      high
http://tempuri.org/Entity/Id17LR                                        [A]     false      high
http://tempuri.org/Entity/Id15LR                                        [A]     false      high
http://tempuri.org/Entity/Id9LR                                         [A]     false      high
http://tempuri.org/Entity/Id19Response                                  [A]     false      high
http://tempuri.org/Entity/Id13LR                                        [A]     false      high
http://tempuri.org/Entity/Id7LR                                         [A]     false      high
http://tempuri.org/Entity/Id11LR                                        [A]     false      high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse         [B]     false      high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault                  [B]     false      high
http://tempuri.org/Entity/Id17Response                                  [A]     false      high
http://tempuri.org/Entity/Id1LR                                         [A]     false      high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence              [B]     false      high
http://tempuri.org/Entity/Id5LR                                         [A]     false      high
http://tempuri.org/Entity/Id20Response                                  [A]     false      high
http://tempuri.org/Entity/Id3LR                                         [A]     false      high
http://tempuri.org/Entity/Id15Response                                  [A]     false      high
http://tempuri.org/Entity/Id13Response                                  [A]     false      high
http://tempuri.org/Entity/Id4Response                                   [A]     false      high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name              [C]     false      high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty    [B]     false      high
http://tempuri.org/Entity/Id6Response                                   [A]     false      high
https://api.ip.sb/ip                                                    [D]     false      high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement        [B]     false      high
http://tempuri.org/Entity/Id23LR                                        [A]     false      high
http://tempuri.org/Entity/Id7Response                                   [A]     false      high
http://tempuri.org/Entity/Id21LR                                        [A]     false      high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous         [B]     false      high
http://tempuri.org/x                                                    [B]     false      high
http://tempuri.org/Entity/Id11Response                                  [A]     false      high
http://tempuri.org/Entity/Id9Response                                   [A]     false      high
http://tempuri.org/Entity/Id22Response                                  [A]     false      high
http://tempuri.org/Entity/Id24Response                                  [A]     false      high

Reading this table: tempuri.org is the default namespace that Visual Studio assigns to WCF and ASMX service contracts, and the schemas.xmlsoap.org URIs are WS-Addressing, WS-ReliableMessaging and WS-Security namespaces emitted by the .NET WCF runtime. The Entity/Id<N>LR and Entity/Id<N>Response strings are therefore SOAP action names of the sample's WCF contract (Entity is the contract, Id<N> the obfuscated operation names, Response the reply-action suffix WCF appends), not hosts the sample contacts. Neither namespace should be turned into a network block rule. api.ip.sb/ip is a public external-IP lookup; it is a behavioural hint, not an indicator unique to this family. The only network indicator from this report that is worth acting on is the C2 socket listed under contacted IPs.
                                                                                                        http://tempuri.org/Entity/Id1ResponseC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedC5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id18LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id16LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id8LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id14LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id6LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id18ResponseC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id12LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingC5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id10LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id4LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id2LRC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rmXC5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://tempuri.org/Entity/Id3ResponseC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessageC5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://tempuri.org/Entity/Id16ResponseC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tempuri.org/Entity/Id5ResponseC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceC5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/soap/actor/nextC5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsC5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://tempuri.org/Entity/Id14ResponseC5Zr4LSzmp.exe, 00000004.00000002.3152207896.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003363000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003201000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000349E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000330E000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.000000000344F000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000004.00000002.3152207896.0000000003400000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
87.120.120.86 | unknown | Bulgaria | | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588242
Start date and time: 2025-01-10 23:04:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: C5Zr4LSzmp.exe
renamed because original name is a hash value
Original Sample Name: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@3/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 126
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 172.202.163.200
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: C5Zr4LSzmp.exe
                                                                                                                                                      No simulations
Match: 87.120.120.86
  Associated Sample Name / URL                          Detection   Threat Name
  VmoLw6EKj5.exe                                        malicious   RedLine
  Xf3rn1smZw.exe                                        malicious   RedLine
  2eRd5imEKU.exe                                        malicious   RedLine
  2eRd5imEKU.exe                                        malicious   RedLine
  17.12.2024 ________.exe                               malicious   RedLine
  #U0417#U0430#U043f#U0440#U043e#U0441 11.12.2024.exe   malicious   RedLine
  po4877383.exe                                         malicious   RedLine
No context

Match: UNACS-AS-BG8000BurgasBG
  Associated Sample Name / URL                                                                      Detection   Threat Name          Context
  2XnMqJW0u1.exe                                                                                    malicious   XWorm                87.120.120.15
  VmoLw6EKj5.exe                                                                                    malicious   RedLine              87.120.120.86
  QwMcsmYcxv.exe                                                                                    malicious   AsyncRAT, VenomRAT   87.120.120.15
  QwMcsmYcxv.exe                                                                                    malicious   AsyncRAT, VenomRAT   87.120.120.15
  Xf3rn1smZw.exe                                                                                    malicious   RedLine              87.120.120.86
  wqSmINeWgm.exe                                                                                    malicious   RedLine              87.120.120.7
  2eRd5imEKU.exe                                                                                    malicious   RedLine              87.120.120.86
  2eRd5imEKU.exe                                                                                    malicious   RedLine              87.120.120.86
  17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe   malicious   XWorm                87.120.116.179
No context

No context

Process: C:\Users\user\Desktop\C5Zr4LSzmp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.352427679901606
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5: 97AD91F1C1F572C945DA12233082171D
SHA1: D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256: 3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512: 8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.605295850065602
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: C5Zr4LSzmp.exe
File size: 872'448 bytes
MD5: 1cd6afe88ba532ca70c927d90314eac8
SHA1: 3e5c107a20bad54a81ec0cb7e18e4dddcfca003b
SHA256: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
SHA512: d338745cc39ad49e6d94251d2bbc2dc2c2af77ee37fe4fd952ea765a3159e45adb2da316fab36a2f39344d87ed37c0eac91a4f1026e5c31936f38e7a28f2d3bd
SSDEEP: 24576:yuxXOKVpvO/cmyGMELxcPZrUm/t3rwFO:rxXdfOEOM6SPtUCQ
TLSH: 0A05E020376ECB06C52947F40A70E2B813B97D9EE811E21B6DD9BEDF7872F154A10683
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.................0..4..........6R... ...`....@.. ....................................@................................
Icon Hash: 32642092d4f29244
Entrypoint: 0x4d5236
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xB0E81075 [Sat Jan 19 20:03:01 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd51e4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x1714 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd2bec | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd325c | 0xd3400 | 277898f4c3a94b84e4dac44cc949fdd9 | False | 0.834451275887574 | data | 7.619026885043087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd6000 | 0x1714 | 0x1800 | baf0099e104e36d99ed0c61fa11226d7 | False | 0.3846028645833333 | data | 5.0988844986283475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd8000 | 0xc | 0x200 | 470b862ce9d1fb587fe50bf636605e20 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd6130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.3726547842401501
RT_GROUP_ICON | 0xd71d8 | 0x14 | data | | | 1.1
RT_VERSION | 0xd71ec | 0x33c | data | | | 0.42995169082125606
RT_MANIFEST | 0xd7528 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:05:23.060683012 CET | 49814 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:23.066571951 CET | 1912 | 49814 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:05:23.066652060 CET | 49814 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:23.079607010 CET | 49814 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:23.086848021 CET | 1912 | 49814 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:05:44.469861984 CET | 1912 | 49814 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:05:44.469944000 CET | 49814 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:44.498743057 CET | 49814 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:49.528203964 CET | 49980 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:49.533063889 CET | 1912 | 49980 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:05:49.533152103 CET | 49980 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:49.533394098 CET | 49980 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:05:49.538170099 CET | 1912 | 49980 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:06:10.944776058 CET | 1912 | 49980 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:06:10.944948912 CET | 49980 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:10.945225954 CET | 49980 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:15.947681904 CET | 49982 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:15.952550888 CET | 1912 | 49982 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:06:15.952702999 CET | 49982 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:15.952903032 CET | 49982 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:15.957674026 CET | 1912 | 49982 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:06:37.316369057 CET | 1912 | 49982 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:06:37.316550970 CET | 49982 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:37.316984892 CET | 49982 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:42.322971106 CET | 49984 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:42.327934980 CET | 1912 | 49984 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:06:42.328072071 CET | 49984 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:42.328311920 CET | 49984 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:06:42.333146095 CET | 1912 | 49984 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:03.742754936 CET | 1912 | 49984 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:03.742835999 CET | 49984 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:03.743138075 CET | 49984 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:08.760191917 CET | 49985 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:08.765141964 CET | 1912 | 49985 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:08.765230894 CET | 49985 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:08.765441895 CET | 49985 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:08.770220041 CET | 1912 | 49985 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:30.196832895 CET | 1912 | 49985 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:30.196932077 CET | 49985 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:30.197184086 CET | 49985 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:35.213841915 CET | 49986 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:35.218914032 CET | 1912 | 49986 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:35.219095945 CET | 49986 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:35.219336033 CET | 49986 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:35.224200010 CET | 1912 | 49986 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:56.585714102 CET | 1912 | 49986 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:07:56.586209059 CET | 49986 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:07:56.586534977 CET | 49986 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:08:01.604302883 CET | 49987 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:08:01.609201908 CET | 1912 | 49987 | 87.120.120.86 | 192.168.2.10
Jan 10, 2025 23:08:01.609277010 CET | 49987 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:08:01.609558105 CET | 49987 | 1912 | 192.168.2.10 | 87.120.120.86
Jan 10, 2025 23:08:01.614365101 CET | 1912 | 49987 | 87.120.120.86 | 192.168.2.10

Target ID: 0
Start time: 17:05:05
Start date: 10/01/2025
Path: C:\Users\user\Desktop\C5Zr4LSzmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Imagebase: 0x160000
File size: 872'448 bytes
MD5 hash: 1CD6AFE88BA532CA70C927D90314EAC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.3154713841.00000000037F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.3154713841.0000000003641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 4
Start time: 17:05:21
Start date: 10/01/2025
Path: C:\Users\user\Desktop\C5Zr4LSzmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Imagebase: 0xcc0000
File size: 872'448 bytes
MD5 hash: 1CD6AFE88BA532CA70C927D90314EAC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.3150994425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 7.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.8%
Total number of Nodes: 178
Total number of Limit Nodes: 7
Strings
Memory Dump Source
• Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: (oq$4'q$4'q$4'q
• API String ID: 0-2528434116
• Opcode ID: 95603bab88990e988b60155aa3d200d3676a66c972cfb35061e80982b1959178
• Instruction ID: b1ebbf16315fab34a65a376acdbccc661d9b79808e7a9a76d8f92b0b5265b5ba
• Opcode Fuzzy Hash: 95603bab88990e988b60155aa3d200d3676a66c972cfb35061e80982b1959178
• Instruction Fuzzy Hash: 1443FA74A00219CFDB25EF68C888A9DB7B6BF89311F15859DD409AB361CB31ED82CF45
Strings
Memory Dump Source
• Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: (oq$(oq$,q$,q$Hq
• API String ID: 0-962059274
• Opcode ID: e88af94538fefe2d5f55dc66f7820973dca7ea4adedd1c35ae4f0e28abc49b5f
• Instruction ID: 273b6431b407d74a990a84a58e7afc575252c7798e2216493ecbf994b2fa35fb
• Opcode Fuzzy Hash: e88af94538fefe2d5f55dc66f7820973dca7ea4adedd1c35ae4f0e28abc49b5f
• Instruction Fuzzy Hash: F1528F34A00215DFDB18EF69C484AADBBB6BF88715B15C16DE806DB361CB32EC41DB91

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: `Yl$t^l
• API String ID: 0-739893149
• Opcode ID: 2095618634f86e1b7d7cde5d080c608f5523aeb1305d333389642feeb4e83af7
• Instruction ID: 1a5bf75d457240cac472e88c7445532e7b0a555b9add3a8f319473f6e26eeefd
• Opcode Fuzzy Hash: 2095618634f86e1b7d7cde5d080c608f5523aeb1305d333389642feeb4e83af7
• Instruction Fuzzy Hash: E081B574E003089FDF19DFA5D855AAEBBB2BF88300F248129E415BB369DB759941CF50

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: `Yl$t^l
• API String ID: 0-739893149
• Opcode ID: 57df74bc69b724af2dfb766adbcf10e62e6b8028e74823d18286ca3d578dbedd
• Instruction ID: f2a40e169221cb5b2948cab997b9ee3690745ecac9683bbb7ac30adeb91700df
• Opcode Fuzzy Hash: 57df74bc69b724af2dfb766adbcf10e62e6b8028e74823d18286ca3d578dbedd
• Instruction Fuzzy Hash: 6951E874E012588FDF18DFA9D891AEEBBB2BF89300F248129D415BB365DB749942CF50

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: ae70f3fe106e7f9d1fbf693e88ac6a0ed4ca4938aedaa0d7e3e1a81246a71cd5
• Instruction ID: 369219990302e3831b1be2ff0482f38213e01248b328105c2331f2b7000e025d
• Opcode Fuzzy Hash: ae70f3fe106e7f9d1fbf693e88ac6a0ed4ca4938aedaa0d7e3e1a81246a71cd5
• Instruction Fuzzy Hash: 2562ED74E01228CFDB64DF68C884BEEBBB2BB89301F1085E9D449A7255DB319E85CF45
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6a586266934c0fc6fdac80330b99bdb3102563b8b023dd3dfa2a86d7ceb948a
• Instruction ID: b814dcc659d1ff501d5a092b41ac72a7b038400c24f1de7c97554cf36d3f9f24
• Opcode Fuzzy Hash: f6a586266934c0fc6fdac80330b99bdb3102563b8b023dd3dfa2a86d7ceb948a
• Instruction Fuzzy Hash: FD32CA71B016058FDB59EB69CA50BAEBBF6AF88350F10846DE1169B3E1CB31ED01CB51
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a9c0cee789b1a32f93b539a3a3d0b01a480b3749b9d144ee36bda83e3f8fb33
• Instruction ID: ec60e1073c03bc8868fc70b8871358118526d85e8d1c6ece82f4429327396001
• Opcode Fuzzy Hash: 1a9c0cee789b1a32f93b539a3a3d0b01a480b3749b9d144ee36bda83e3f8fb33
• Instruction Fuzzy Hash: 01413975E09229CFEBA0DF54CA45BECB7B9BB49320F1050D9D549A7281D7709AC1CF50

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 00C0D5FE
• GetCurrentThread.KERNEL32 ref: 00C0D63B
• GetCurrentProcess.KERNEL32 ref: 00C0D678
• GetCurrentThreadId.KERNEL32 ref: 00C0D6D1
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 08aedeec2a09fed322c079dd4f7233d4b7ab8e5b7d0ee18df7ebaac428379a1d
• Instruction ID: 84923c30a5ff719001a8d1b578e21125faf7264b4bfacfc3d88e7a5d929d9bb8
• Opcode Fuzzy Hash: 08aedeec2a09fed322c079dd4f7233d4b7ab8e5b7d0ee18df7ebaac428379a1d
• Instruction Fuzzy Hash: 885198B09003498FEB14CFA9C548BEEBBF0FF48304F248459E119A72A0DB75A944CF69

Control-flow Graph: [graph image not captured; basic blocks c0d580-c0d74d, nodes marked Executed / Not Executed]
APIs
• GetCurrentProcess.KERNEL32 ref: 00C0D5FE
• GetCurrentThread.KERNEL32 ref: 00C0D63B
• GetCurrentProcess.KERNEL32 ref: 00C0D678
• GetCurrentThreadId.KERNEL32 ref: 00C0D6D1
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: c20a8d4520bdef3ccbb179f123f559f3e24cdd2a6de6c41af6015c71b7371f80
• Instruction ID: 7bb6a89c109c509e5e27888f7cd4108b9f54b2ae7507987be0085785f9e5c530
• Opcode Fuzzy Hash: c20a8d4520bdef3ccbb179f123f559f3e24cdd2a6de6c41af6015c71b7371f80
• Instruction Fuzzy Hash: 895168B09003498FDB54CFA9C548BEEBBF1FF48304F248559E119A72A0DB75A944CF69

Control-flow Graph: [graph image not captured; basic blocks 6bd9250-6bd93ae, nodes marked Executed / Not Executed]
Strings
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: 8q$8q$8q
• API String ID: 0-3169173723
• Opcode ID: 106c1cb911a79ab45ec9a4c2b5b632382422142338066fa85acef00a07de9163
• Instruction ID: 7e37d4fd90b5dab4609e2289bb62483c5ab58050075f965fe6855200e0b4af62
• Opcode Fuzzy Hash: 106c1cb911a79ab45ec9a4c2b5b632382422142338066fa85acef00a07de9163
• Instruction Fuzzy Hash: B231B8F4E04209DFE794BA94C45567E7776EBC8324F104496D50BAF384FA318D0287E6

Control-flow Graph: [graph image not captured; basic blocks 6bd839f-6bd8587, nodes marked Executed / Not Executed]
Strings
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: 8$$q$$q
• API String ID: 0-3275118826
• Opcode ID: 254166e43e0ddb21fcc5c58f9dcc2b2cdb8bd746c17a0a4c914220eabecf1453
• Instruction ID: 403aec4b38590a0bfe918dec4765f952de76613ffff729f7e4eea21ddaeaf1f3
• Opcode Fuzzy Hash: 254166e43e0ddb21fcc5c58f9dcc2b2cdb8bd746c17a0a4c914220eabecf1453
• Instruction Fuzzy Hash: 3D01D6B0B40245DFF7B45B24DC267A97272AB40725F1848D6A9069F681FAB48950C791

Control-flow Graph: [graph image not captured; basic blocks 6bd2ad8-6bd2d81, nodes marked Executed / Not Executed]
Strings
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: (q$Hq
• API String ID: 0-1154169777
• Opcode ID: 80ca47147037d5a4dac23b968877bbfef221cac8d6ac16b1202cca9f3385ad05
• Instruction ID: 715d59acc46d73310bb07abc2c87fab09f9bb0e0d887f7cad4a2ebcfb385b8ea
• Opcode Fuzzy Hash: 80ca47147037d5a4dac23b968877bbfef221cac8d6ac16b1202cca9f3385ad05
• Instruction Fuzzy Hash: 6A71B1B0A002498FDB54DF75D9047AEBBE6EBC8350F148469D505EB390EF349E41CBA5

Control-flow Graph: [graph image not captured; basic blocks 6bd77c8-6bd7a36, nodes marked Executed / Not Executed]
Strings
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: %*&/)(#$^@!~-_$0,Hq
• API String ID: 0-2843808400
• Opcode ID: 2feb665aab285d94a5da50182060ab3147bb8cd68302edba88617c9e40b36cfd
• Instruction ID: ff4dfdefda5cb58b937950a2a357820ddca15e1de79a08052234ec4632c1bf3e
• Opcode Fuzzy Hash: 2feb665aab285d94a5da50182060ab3147bb8cd68302edba88617c9e40b36cfd
• Instruction Fuzzy Hash: AF619474B002189FD700AB64D455BAEBBB2FF88300F5485A9D9859F386DF71AE46C7C1

Control-flow Graph: [graph image not captured; basic blocks 6bded78-6bdef85, nodes marked Executed / Not Executed]
Strings
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: Teq$Teq
• API String ID: 0-2938103587
• Opcode ID: bdd5666712070a1c9fe6fe87cc01a515a9ef4f2101e0f049198303430f5a7fd9
• Instruction ID: 0d1d99c74acc747a22a55e651b65b2a7d8f77506aaf52fde667ceba160dfa1f3
• Opcode Fuzzy Hash: bdd5666712070a1c9fe6fe87cc01a515a9ef4f2101e0f049198303430f5a7fd9
• Instruction Fuzzy Hash: AC51C3B4E04208CFDB44DFEAD484AADBBB6FF89300F109069E519AF355EB349946CB50

Control-flow Graph: [graph image not captured; basic blocks 6bd82d0-6bd8357, nodes marked Executed / Not Executed]
Strings
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: $q$$q
• API String ID: 0-3126353813
• Opcode ID: c11cea0a43385bc49359ca7e179cba09b86586f0982effd28b902e71b9db3183
• Instruction ID: ad2e6f5b1aa9dd86bd883633f55a66ac40dd62710470f9a81ebe1c7f62e8bd72
• Opcode Fuzzy Hash: c11cea0a43385bc49359ca7e179cba09b86586f0982effd28b902e71b9db3183
• Instruction Fuzzy Hash: 9E01F5B090A781DFE3B59720D4106257BB5FF02256F0442EBE00ACF142E7758845C3EA
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FC5F26
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 90162e195291948f05c268e9c4f975c946c9f9842829cdbbb91126c074929d0e
• Instruction ID: 559bd2de3f251d1b733c41cf24ca9ef8c50e7438e872a8cf339dbdf8bb9d5f8f
• Opcode Fuzzy Hash: 90162e195291948f05c268e9c4f975c946c9f9842829cdbbb91126c074929d0e
• Instruction Fuzzy Hash: 50A16E71D0031ADFEB64CFA8C941BEDBBB2BF44320F1485A9E849A7240DB749995CF91
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FC5F26
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateProcess
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                                                      • Opcode ID: 8dc6a72dcad2bada8fbe9cee7cdc1b85531323885e59c4a35beede2705f3736a
                                                                                                                                                                      • Instruction ID: 1bd7ada52b0851f2e0fd53ecbbe028279b9f1e9c4718ad7c4a66723a34334531
                                                                                                                                                                      • Opcode Fuzzy Hash: 8dc6a72dcad2bada8fbe9cee7cdc1b85531323885e59c4a35beede2705f3736a
                                                                                                                                                                      • Instruction Fuzzy Hash: A6915D71D0031ADFEB64CFA8C941BEDBBB2BF44310F1485A9E849A7240DB749995CF91
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00C0B566
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                      • Opcode ID: bc08c342b9c49e040417db39425d5cff1ea7dc66b7ed6a117a1a39c7b7fb6e7a
                                                                                                                                                                      • Instruction ID: e8b9c674762b523365ec81bc2ddd09ef57a1caa52e9940aec8458b5ecf45162a
                                                                                                                                                                      • Opcode Fuzzy Hash: bc08c342b9c49e040417db39425d5cff1ea7dc66b7ed6a117a1a39c7b7fb6e7a
                                                                                                                                                                      • Instruction Fuzzy Hash: 2F816770A00B058FEB24DF2AD44179ABBF1FF88300F108A2ED496C7A91DB75E945CB91
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 00C059C9
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Create
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                      • Opcode ID: f9ddc39f8f14c13c2d4f72138143696e5932cb90dd8c4c72a2c331ad0e75829b
                                                                                                                                                                      • Instruction ID: 3b5ea9520a2798e36b15c56c108d39353e7fa2dbc7e93d394482de7d82f092ba
                                                                                                                                                                      • Opcode Fuzzy Hash: f9ddc39f8f14c13c2d4f72138143696e5932cb90dd8c4c72a2c331ad0e75829b
                                                                                                                                                                      • Instruction Fuzzy Hash: 4641D1B1D00719CFEB24DFAAC885BDEBBB5BF48304F20815AD418AB251DB759986CF50
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 00C059C9
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Create
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                      • Opcode ID: 09caa6bac62c03e0e7e621112d024d53789bbf795d650a9a9290d5bc1908e808
                                                                                                                                                                      • Instruction ID: e66c3480d47fef5e4d9999b7de78679c2afed2afbe1e055d7c2bdbe831a6bf77
                                                                                                                                                                      • Opcode Fuzzy Hash: 09caa6bac62c03e0e7e621112d024d53789bbf795d650a9a9290d5bc1908e808
                                                                                                                                                                      • Instruction Fuzzy Hash: 0941D270D00719CBEB24DFAAC8847DEBBF5BF48304F20815AD418AB251DB75A946CF90
                                                                                                                                                                      APIs
                                                                                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FC5AF8
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                                                      • Opcode ID: 9f898aa6cdab0bfac8647dfe83f6cbfaeed125699d6e4dde24e9767f012efab8
                                                                                                                                                                      • Instruction ID: 877ff3add712ddd5ce7ae04fcfd67c1068053053c4defa8ce6132789e8c63106
                                                                                                                                                                      • Opcode Fuzzy Hash: 9f898aa6cdab0bfac8647dfe83f6cbfaeed125699d6e4dde24e9767f012efab8
                                                                                                                                                                      • Instruction Fuzzy Hash: BB216B71D003499FDB10CFA9C881BEEBBF5FF48310F108429E959A7240C779A551CBA0
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FC5BD8
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: 88d8e6b0271ef4aed5b8962deacb84245a3f459c645eca15058f1d0508d8ad7b
                                                                                                                                                                      • Instruction ID: a8b58f734f1b2a5f3de091adaad28e176ff7f0c68bed4e8e9691a88d64fd7430
                                                                                                                                                                      • Opcode Fuzzy Hash: 88d8e6b0271ef4aed5b8962deacb84245a3f459c645eca15058f1d0508d8ad7b
                                                                                                                                                                      • Instruction Fuzzy Hash: 39213972C003599FDB10DFAAC845BEEBBF5FF48320F10852AE519A7250CB79A541CBA0
                                                                                                                                                                      APIs
                                                                                                                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0577F05F
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3158593886.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5770000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DrawText
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2175133113-0
                                                                                                                                                                      • Opcode ID: 5e443c5423c1fb371a09d8d66b6ad7dc54cf0002ae360467f36cfdae9bc9d5d9
                                                                                                                                                                      • Instruction ID: 7692f99161c72c10004d1c47bbfda39c02dbf6e541fa9160c5e3e165f230b11d
                                                                                                                                                                      • Opcode Fuzzy Hash: 5e443c5423c1fb371a09d8d66b6ad7dc54cf0002ae360467f36cfdae9bc9d5d9
                                                                                                                                                                      • Instruction Fuzzy Hash: 0E31EEB59002499FDB10CF9AD984AAEFBF5FB48320F14842AE919A7310D775A944CFA0
                                                                                                                                                                      APIs
                                                                                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FC5AF8
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                                                      • Opcode ID: f7c59a606069c641712ffef2d6406d007de8488123614a85985b13aae182d34d
                                                                                                                                                                      • Instruction ID: e70b943c6ac4ed5c3cf3f1e0714c2a3cf9091d05a2b314f74e7c6d4aaa91ef7e
                                                                                                                                                                      • Opcode Fuzzy Hash: f7c59a606069c641712ffef2d6406d007de8488123614a85985b13aae182d34d
                                                                                                                                                                      • Instruction Fuzzy Hash: C2215A71D003499FDB10CFAAC981BEEBBF5FF48310F108429E919A7240C778A954CB60
                                                                                                                                                                      APIs
                                                                                                                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0577F05F
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3158593886.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5770000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DrawText
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2175133113-0
                                                                                                                                                                      • Opcode ID: fb0e1ba679dad4f8e6268a42116e754a14dda046fbb4cc702ddd16549883b5e0
                                                                                                                                                                      • Instruction ID: efea2befdb535c4751ee31206c9d2856211d63f791abfac8ef963e55910f0ed9
                                                                                                                                                                      • Opcode Fuzzy Hash: fb0e1ba679dad4f8e6268a42116e754a14dda046fbb4cc702ddd16549883b5e0
                                                                                                                                                                      • Instruction Fuzzy Hash: 9821CCB59002499FDB10CF9AD984AAEBBF5FB48324F14842AE919A7310D775A944CFA0
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FC594E
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: 00b772a8d73185e3961b4e7cd91a1b4bcb07bb4f05275055134fba5bde3960bf
• Instruction ID: 0467c5f2f3000091ddaec756feaf93559a68e687674edb8471b32b9e955e4c9c
• Opcode Fuzzy Hash: 00b772a8d73185e3961b4e7cd91a1b4bcb07bb4f05275055134fba5bde3960bf
• Instruction Fuzzy Hash: 6A2168B1D003098FDB50DFAAC8857EEBBF4EF48324F14842AD559A7240CB78A945CFA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C0D84F
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ab3ed07f775896cb6bd80f9904a73fbc00981d4ef850a5e4085bdda559a204a6
• Instruction ID: 19358dbc35b471ac38084b6d21e167949b160031b70e1256687eca98d261e00f
• Opcode Fuzzy Hash: ab3ed07f775896cb6bd80f9904a73fbc00981d4ef850a5e4085bdda559a204a6
• Instruction Fuzzy Hash: 962103B5900248AFDB10CFAAD484BDEBFF4FB48324F14801AE968A7250D374A941CFA0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FC5BD8
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: dc9a0a6680b464bb1ed504643310618c3242c7eba52a217e2827a07a931d4457
• Instruction ID: 5b8328ea3f4581100df437991d779bec47c230de39f2536a9c053fe0e6c48f93
• Opcode Fuzzy Hash: dc9a0a6680b464bb1ed504643310618c3242c7eba52a217e2827a07a931d4457
• Instruction Fuzzy Hash: 6F212871C003599FDB10CFAAC841BEEBBF5FF48320F54842AE559A7250C779A951CBA4
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FC594E
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 96c7e40cb4a19082529fdd74db77ada73ca9f20a77a0d2a90ab26251e21b5894
• Instruction ID: f96bde916031973fb21f24cd2f9bef7e1b7911dd4032e6f74051940f3a63561a
• Opcode Fuzzy Hash: 96c7e40cb4a19082529fdd74db77ada73ca9f20a77a0d2a90ab26251e21b5894
• Instruction Fuzzy Hash: 02213871D003098FDB10DFAAC4857EEBBF4EF48324F54842AD459A7240CB78A945CFA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C0D84F
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6e3c795f0579f64c4e28cbe0a91df1b146b97d3dcb096682a1adf6027d66c996
• Instruction ID: e7eec74dd861f455eb4f4f6c36c71e6e7f2c25b1f5b473f1707cabbdfa8c578a
• Opcode Fuzzy Hash: 6e3c795f0579f64c4e28cbe0a91df1b146b97d3dcb096682a1adf6027d66c996
• Instruction Fuzzy Hash: 5021E0B59002489FDB10CFAAD884ADEBBF8FB48320F14841AE918A3250D374A940CFA4
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FC5A16
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9f8016534e0f9db8526d7953338667dc390091e92d752a2d0d66e008efabe464
• Instruction ID: 9daa21100dd44966b6bca3eeef84d114bd04a86383f43d5407a3d4f979fe9da7
• Opcode Fuzzy Hash: 9f8016534e0f9db8526d7953338667dc390091e92d752a2d0d66e008efabe464
• Instruction Fuzzy Hash: EA116A729003499FDB20DFAAC845BEFBFF5EB88320F108819E415A7250CB75A540CFA1
APIs
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 864277b2489079ca3d5ecd415c0fc6d0fb173122f540b51c735fca84075d0e24
• Instruction ID: 3d4a27ad04a4c865650add28239dc27ff10a51944a6b3c7cff71dd6a4b0ede1e
• Opcode Fuzzy Hash: 864277b2489079ca3d5ecd415c0fc6d0fb173122f540b51c735fca84075d0e24
• Instruction Fuzzy Hash: 03114971D003498BDB20DFAAC845BEEFBF5EB48324F148419D419A7240CB75A545CFA5
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FC5A16
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 2f2e78dc3e15e446f770653e2f3f7e966f212b2a48e79ad3dabfa812733656ee
• Instruction ID: f236dc3206c4beabd378d43bd5e378c49e70dddb1ba013788d2e140354216eb7
• Opcode Fuzzy Hash: 2f2e78dc3e15e446f770653e2f3f7e966f212b2a48e79ad3dabfa812733656ee
• Instruction Fuzzy Hash: 09112672D003499FDB20DFAAC845BEEBBF5EB88324F148819E559A7250C775A950CFA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 423959dc4334ed064e5e801f5ea20bfc3164c067561642e55ad6cad75a5c826d
• Instruction ID: ae9f8c79685ec31b0b26f5453b82241f54e3b40238d817111f6f844d661c5c46
• Opcode Fuzzy Hash: 423959dc4334ed064e5e801f5ea20bfc3164c067561642e55ad6cad75a5c826d
• Instruction Fuzzy Hash: C8113A71D003498FDB20DFAAC8457EEFBF5EB48324F148419D459A7250CB75A945CF94
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06FC8185
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 966d84adc66a291bb114c0122c903f206a454344e250b2d5cddf321f72e46264
• Instruction ID: 184d38c4e44a5be0f4bf1df1e206a8d98b7e40d81ed952ee64c78b472957c343
• Opcode Fuzzy Hash: 966d84adc66a291bb114c0122c903f206a454344e250b2d5cddf321f72e46264
• Instruction Fuzzy Hash: 4811D6B58003499FDB20CF9AD945BDEBFF8EB48324F148419E569A7210C375A544CFA5
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06FC8185
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: b3fcf6952dce38fc4d32321f292c7da3081c2bc60c8917628dfb03f44a3ee9f8
• Instruction ID: 7dc9706e879a7bee7c6c2e34ce50871c045c1f4fd03652a5cdeacbbd0eb2c73f
• Opcode Fuzzy Hash: b3fcf6952dce38fc4d32321f292c7da3081c2bc60c8917628dfb03f44a3ee9f8
• Instruction Fuzzy Hash: E511F5B58003499FDB20DF9AC945BDEBFF8EB48324F108419E528A7210C375A944CFA5
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00C0B566
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 15430e287fa37d864cf100f39908b8032d43784bd70481ca52c51c42cc845a35
• Instruction ID: 655bc2c386b6028ba606b12d390c20cbd6671c0a2b625a935fd159511b92d8da
• Opcode Fuzzy Hash: 15430e287fa37d864cf100f39908b8032d43784bd70481ca52c51c42cc845a35
• Instruction Fuzzy Hash: E811E0B5D002498FDB20CF9AD844BDEFBF4EB88314F14855AD829A7250C375AA45CFA5
Strings
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: (q
• API String ID: 0-2414175341
• Opcode ID: 64eb83bb133435b82cc29ef47af6b3847254a37e27203fe56030a7c2219a7f14
• Instruction ID: 10562661fd71efbd6e6070e8fee025c1c0396b050abf38e4aa37825cb3c5ba0b
• Opcode Fuzzy Hash: 64eb83bb133435b82cc29ef47af6b3847254a37e27203fe56030a7c2219a7f14
• Instruction Fuzzy Hash: 6471F170A003459FEB649F35D844BAEB7A6EF88340F14896AE9069B2A0DF74DD41CB51
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: $q
                                                                                                                                                                      • API String ID: 0-1301096350
                                                                                                                                                                      • Opcode ID: ea45f8fd2eddf84c9323db615a2319ecb50303767ce773135f2a85dcf0b32501
                                                                                                                                                                      • Instruction ID: 894bcd66054d520741aab974697c70ebaf001f2f86f2559203c29797c3fd9074
                                                                                                                                                                      • Opcode Fuzzy Hash: ea45f8fd2eddf84c9323db615a2319ecb50303767ce773135f2a85dcf0b32501
                                                                                                                                                                      • Instruction Fuzzy Hash: E211E9B0D2D250EFE3E1966498016767BF59B41117B1448E7D446CF186F7368801CBE6
                                                                                                                                                                      APIs
                                                                                                                                                                      • CloseHandle.KERNELBASE(?), ref: 0577D4D8
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3158593886.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5770000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: f4d676f195d21fbbd060a123e4c5c142a33bf70c1ee0c0eef7dc20461c6690e3
                                                                                                                                                                      • Instruction ID: ac8d6612de21db9a951cb1b40ec06c48b87756990ffbf0c20dc12aeacb54f44e
                                                                                                                                                                      • Opcode Fuzzy Hash: f4d676f195d21fbbd060a123e4c5c142a33bf70c1ee0c0eef7dc20461c6690e3
                                                                                                                                                                      • Instruction Fuzzy Hash: 5F1143B58002488FDB20CF9AC545BDEBBF4EF48320F108419D968A7340C338A544CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • CloseHandle.KERNELBASE(?), ref: 0577D4D8
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3158593886.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5770000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                                      • Opcode ID: 7fc2f7665d57b680f46b8ccb0cdb491680f02b0e12d0c60e7b2187855252f309
                                                                                                                                                                      • Instruction ID: a6096db258dcc9f026ef3dbcf9735637e41385b9cb8428efcbe3165e3f07c69d
                                                                                                                                                                      • Opcode Fuzzy Hash: 7fc2f7665d57b680f46b8ccb0cdb491680f02b0e12d0c60e7b2187855252f309
                                                                                                                                                                      • Instruction Fuzzy Hash: BF1103B58003498FDB20DF9AD545BDEBBF4EF48320F14842AD968A7340D779A944CFA5
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: W
                                                                                                                                                                      • API String ID: 0-655174618
                                                                                                                                                                      • Opcode ID: 3de84dfec3db179f7bfc450691079e13fcea1bb7869ffb3ee200bc88f7d5d3ae
                                                                                                                                                                      • Instruction ID: b5e9541dff7cff1a13d6a6cdeee9fc025ffdb843d6a8f70eb112e40c0011796f
                                                                                                                                                                      • Opcode Fuzzy Hash: 3de84dfec3db179f7bfc450691079e13fcea1bb7869ffb3ee200bc88f7d5d3ae
                                                                                                                                                                      • Instruction Fuzzy Hash: DF01D2B098D3848FD3919724D4046AA7FB29B82305F0880FED0454F286DB7A8446C762
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: $q
                                                                                                                                                                      • API String ID: 0-1301096350
                                                                                                                                                                      • Opcode ID: a9c20f09a8dcf33a4e77ee5a43b52956cd74b0a5def9b8cebc92251135de4b0b
                                                                                                                                                                      • Instruction ID: f1ff8674740f9641517fd17352fdb3143eaed49c8f0d81756fbd8cb60a380db4
                                                                                                                                                                      • Opcode Fuzzy Hash: a9c20f09a8dcf33a4e77ee5a43b52956cd74b0a5def9b8cebc92251135de4b0b
                                                                                                                                                                      • Instruction Fuzzy Hash: FAF04FF1D05911DFE3B48A14E900765B7A5F705366F4482F6A80ECF601E7759880C7DA
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: G
                                                                                                                                                                      • API String ID: 0-985283518
                                                                                                                                                                      • Opcode ID: def9110ea7a5f6fd4805b40f4d82a0fddfece17754d0c78d533b00397c361d4e
                                                                                                                                                                      • Instruction ID: 10434ca1b82872daa1af2d62f5c8b5f175282ccf3bd20d35eec1aabc99732770
                                                                                                                                                                      • Opcode Fuzzy Hash: def9110ea7a5f6fd4805b40f4d82a0fddfece17754d0c78d533b00397c361d4e
                                                                                                                                                                      • Instruction Fuzzy Hash: 87D0A7F2C0D108EBE360CE51FC056A97B6C8700314F2500E5DC0E1B681EB261E1586D2
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: G
                                                                                                                                                                      • API String ID: 0-985283518
                                                                                                                                                                      • Opcode ID: 0d39630af9c81e068f530fbc08763498b21297dbc6328906f36dc99e5b9e2c56
                                                                                                                                                                      • Instruction ID: d3dcc7240a10688441b89f97e5c0cc6c1fdd4dd61ad53507ae10f2bb3e8f910f
                                                                                                                                                                      • Opcode Fuzzy Hash: 0d39630af9c81e068f530fbc08763498b21297dbc6328906f36dc99e5b9e2c56
                                                                                                                                                                      • Instruction Fuzzy Hash: E9C012F0448108EBE744CE80E90662CB7AC9740300F2000C4D80E4A201EB362E149A86
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4a2105e615470a9331b9bfae1e75e7b6baf5868b1bbc0d19a385412b8541d76e
                                                                                                                                                                      • Instruction ID: 74c0e63fe1139d761f3faae8ec68424ef9b4e976a3d083dbe067956492f4a1f4
                                                                                                                                                                      • Opcode Fuzzy Hash: 4a2105e615470a9331b9bfae1e75e7b6baf5868b1bbc0d19a385412b8541d76e
                                                                                                                                                                      • Instruction Fuzzy Hash: 9AD1E3F0F01506DFDB95AF64C4486AEBFF1EF46200F5544E9D442AB2A6EB31C861CB82
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3632847901e9ba205c515cbd6b64a6ae9d05bbc4cd164d6f6ebdd7bf4d688a3b
                                                                                                                                                                      • Instruction ID: 5018f26628b88ede4c4c2fc7c7f8709cf18beffa5ccb864f214ac24503207e26
                                                                                                                                                                      • Opcode Fuzzy Hash: 3632847901e9ba205c515cbd6b64a6ae9d05bbc4cd164d6f6ebdd7bf4d688a3b
                                                                                                                                                                      • Instruction Fuzzy Hash: D4F1C675D1061ACBCF10EFA8C854AEDB7B5FF48300F1096AAD549B7254EB70AA85CF90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 17862f59689131aa467fac84a35352ec2f10113dee4d73d4ed702d1ab67b884c
                                                                                                                                                                      • Instruction ID: cad5ba4f25bd07d82cbd4000edab8ab153b021e4ecd0ec3ec98bcd367e2f04dc
                                                                                                                                                                      • Opcode Fuzzy Hash: 17862f59689131aa467fac84a35352ec2f10113dee4d73d4ed702d1ab67b884c
• Instruction Fuzzy Hash: 77E1D771E1061ACBCF10EFA8C8546EDB7B5FF48300F1096AAD449B7255EB70AA85CF90
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33f15452441987551f5be92a8371f1c043c0940b0e5c8c24c1b7f35f79a0c6a1
• Instruction ID: d10c6ec34d8d67193b638d45c71bbb0e5e86c7c23065b365d1cbbce76f13b36d
• Opcode Fuzzy Hash: 33f15452441987551f5be92a8371f1c043c0940b0e5c8c24c1b7f35f79a0c6a1
• Instruction Fuzzy Hash: 35B1E575910619CFDB10EF68D844A9CFBB1FF49304F05C699E949BB215EB30AA89CF90
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e9122c4c49fb4518a57faecdcfbbf19b8443093183f07d88ab8b803b7228573
• Instruction ID: 731c7bbda08fe7e3888169911a41be808db0761b1e21630ca6440ee278f48ec8
• Opcode Fuzzy Hash: 0e9122c4c49fb4518a57faecdcfbbf19b8443093183f07d88ab8b803b7228573
• Instruction Fuzzy Hash: 1851F974E106098FCF50EFA8C8949ADF7B5FF89210F149669D816BB315EB30E985CB90
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af3d543b05ae03fd371a7aa6aef4919aa3c2e17233de4d289672b0bdf154b216
• Instruction ID: 55b465a637cf6ba3ac46a5dab431e229158aa9aa7ef0f4cd4ca730db3cdf6f0e
• Opcode Fuzzy Hash: af3d543b05ae03fd371a7aa6aef4919aa3c2e17233de4d289672b0bdf154b216
• Instruction Fuzzy Hash: B1419F70F01205DFEB58DF68E454A6EB7B6FF88301B1441A9E806EB391EE35D941CB91
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0fa69928763efd4548b3a4f013ec2a68bfc76ec4fe6a63662240997b32a015ee
• Instruction ID: eb1ce899259455576fd90ec56f51fc36f901325c7b788408462d5dbad6d8e0e9
• Opcode Fuzzy Hash: 0fa69928763efd4548b3a4f013ec2a68bfc76ec4fe6a63662240997b32a015ee
• Instruction Fuzzy Hash: 8F517535E10609DFCB00EFA8D8849EDF7B5FF89300F10859AE516AB325EB71A945CB91
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3489e06bbe2540015da3fe9697698ad12ce39b65ba46dfc8153a45430fda2fe4
• Instruction ID: 95d276d0f50006764faa6163bf0d5a48f2b3e8f0f69718f6f878231d25872cf1
• Opcode Fuzzy Hash: 3489e06bbe2540015da3fe9697698ad12ce39b65ba46dfc8153a45430fda2fe4
• Instruction Fuzzy Hash: 224105B4A04108DFE784DF98D45276ABBB1EB89314F18C4A9D5169F381FB3A9D42CB90
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a5b2ef1d2217d00b00a1e7407dd7c4b03378145b2e122880f9feeaa5e88fdab
• Instruction ID: 0986018394fdb9564bfdb96a6f24eb5ea93b9daf53754f49cad2a420682d7be9
• Opcode Fuzzy Hash: 5a5b2ef1d2217d00b00a1e7407dd7c4b03378145b2e122880f9feeaa5e88fdab
• Instruction Fuzzy Hash: 8041B6B0E04209DFEB519FA4C890BBEB3B5EF44340F1084B6E256AF240E7799946CB52
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a04a4d6fa82915fbbe71ee7d2a22ae5ffe115c418b0446aa05e4d12e1557862
• Instruction ID: fc108e06a57aa2331951f63b6b08b7eaa58786bc12de90a1408ef5dfa48ad923
• Opcode Fuzzy Hash: 2a04a4d6fa82915fbbe71ee7d2a22ae5ffe115c418b0446aa05e4d12e1557862
• Instruction Fuzzy Hash: 29412B74E106098FCF50EFA4C8845ADF7B1FF89310F1496A9D816AB315EB34E985CB90
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91e1d39e10d246ccb49e5722da89447650aeeb055f4d97e33b9e57a09f28358f
• Instruction ID: 0dda6d3aa2b49178237ca546ea365e9cbebc40473d681e1d008149ce96984692
• Opcode Fuzzy Hash: 91e1d39e10d246ccb49e5722da89447650aeeb055f4d97e33b9e57a09f28358f
• Instruction Fuzzy Hash: D33116B060D3948FD7015B749C692AEBFB1AB86211B1505FBD843CF292EE788D41C7E2
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13c28695c24c93eba79178c8961f19800be59c85a50f5c8242a1c27c86ad30b5
• Instruction ID: 31a88d0ae484573c31ab41dc1bb95f02549db033cbd93a61d82890401faa1c38
• Opcode Fuzzy Hash: 13c28695c24c93eba79178c8961f19800be59c85a50f5c8242a1c27c86ad30b5
• Instruction Fuzzy Hash: C6318371E10218DFDB14AFA8D84459DB7B6FF89200F1482AAD905AB360EF719C41CB91
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d4a4574a4dd33be4a57fb4536ac623c3c38bf778c610036ed3693a18b731939
• Instruction ID: ff185b2ca24b10c8164fee1ae56b2b6b69dcc58d9c2ef5ae4ebc4e756c5572bf
• Opcode Fuzzy Hash: 4d4a4574a4dd33be4a57fb4536ac623c3c38bf778c610036ed3693a18b731939
• Instruction Fuzzy Hash: D131C0B4A153059FEB55DF68D418B6E7BB6EF89301F1440AAE802DB391EF35C901CB91
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9de0fae5304e03073ce8235f3402238cfea5d103417b71257d6396d283b16fcb
• Instruction ID: 4c7a5fdb00cc1231857540ea469afa9c5cdb91ebd9a92e66d0c961e466af6826
• Opcode Fuzzy Hash: 9de0fae5304e03073ce8235f3402238cfea5d103417b71257d6396d283b16fcb
• Instruction Fuzzy Hash: 53316F757042409FD754DF69E480B6A73EAEFC8220F1589A9E90ACF355DB70EC418B51
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdacbf8a128b94b88df51201c8cf6883dd9e4022c70cda9df075a548ce6bd804
• Instruction ID: d7dc11a79cc6b0576ad9a67a6d9c5d7629b4cfd76555895790b3cc199c4755ce
• Opcode Fuzzy Hash: bdacbf8a128b94b88df51201c8cf6883dd9e4022c70cda9df075a548ce6bd804
• Instruction Fuzzy Hash: 5031E4B0A01244EFDB50DF74C844BAEB7F2EF88300F14896AE5159B290DB75DE00CB50
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e10ee5383897cadc1363b530ac91abb5acd687589d8d7d57dd6e3a74d829488
• Instruction ID: 1126e40feef308752f0669ae8fb4cd7029815e2349718eea50347218afeafbcd
• Opcode Fuzzy Hash: 4e10ee5383897cadc1363b530ac91abb5acd687589d8d7d57dd6e3a74d829488
• Instruction Fuzzy Hash: 0021D8B0B08104DFE7B48A5988117797AAFFBC4720F2484A6D4075F685EBB1DC01CB96
Memory Dump Source
• Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 824cc64058a1b8481a421626c8b59628b16bdb3ea8194f337904227ea3e27b84
• Instruction ID: 69de12f459b892e9e71ba49609765bd289eb7d158707bd6b9739ef2b336a217e
                                                                                                                                                                      • Opcode Fuzzy Hash: 824cc64058a1b8481a421626c8b59628b16bdb3ea8194f337904227ea3e27b84
                                                                                                                                                                      • Instruction Fuzzy Hash: 073105B4E1020D9FDB40DFA8D8406EEBBF2EB48210F1055A9D515FB254F7359A518BA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5217c12f44cd207c6335f6c80a803084ab370d39f6cde5f7d0a9d2a1bcf0b4bc
                                                                                                                                                                      • Instruction ID: 086a032f2773ed5d5a402c1478c0d29137140dc77c893e66f322ceb2a3eaf830
                                                                                                                                                                      • Opcode Fuzzy Hash: 5217c12f44cd207c6335f6c80a803084ab370d39f6cde5f7d0a9d2a1bcf0b4bc
                                                                                                                                                                      • Instruction Fuzzy Hash: B631D1F0A04108CFDB84DB58D492769B7F1EB85314F18C49AD1169F382FB3A9D46CB80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1dfb64d89b6bd78b8a55b1b10d567e23494f40ccf4f791276a75fe1d946918b5
                                                                                                                                                                      • Instruction ID: 0db04d3351fc8dcc101037f2715ee8b21f9c69585f4d699b04f4c13e65511d46
                                                                                                                                                                      • Opcode Fuzzy Hash: 1dfb64d89b6bd78b8a55b1b10d567e23494f40ccf4f791276a75fe1d946918b5
                                                                                                                                                                      • Instruction Fuzzy Hash: 6B314535A106099FCF04EFA8D8548DDBBB5FF89300F018699E5056B224FB71A949CB91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9397c6e24151407b9f23b5cc9633e90d9bae53d2049378b67672e2480ad266e6
                                                                                                                                                                      • Instruction ID: d5afd030aea8ab1660e06965a46c4053dd7c0995908fd9a273a740f527cc5603
                                                                                                                                                                      • Opcode Fuzzy Hash: 9397c6e24151407b9f23b5cc9633e90d9bae53d2049378b67672e2480ad266e6
                                                                                                                                                                      • Instruction Fuzzy Hash: E531C0F0A04108CFDB84DB98D49276AB7B1EB85314F18C4AAD1169F381F73A9D46CB80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 11035b6d3c7c187e81778a898cb2cff86a8b58fe753d40851e768a7af2c7cb3a
                                                                                                                                                                      • Instruction ID: 498cf3d8b28b0e0c6691d7253dd7c593771d7b9063eb94a5267a29da05b4c98c
                                                                                                                                                                      • Opcode Fuzzy Hash: 11035b6d3c7c187e81778a898cb2cff86a8b58fe753d40851e768a7af2c7cb3a
                                                                                                                                                                      • Instruction Fuzzy Hash: 57217CF1A18150DFF7C48A28C8426797F69AB49318F1442E7A616CF291E724E980CBD6
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 99886b6d3bd13231e95e12c6dbbb553501548ffaeba8f675e2c0128411051775
                                                                                                                                                                      • Instruction ID: ac302fffa1a4adb724a54e68baf89f41d3c9eb2a6e323c969fb0e64535442c4c
                                                                                                                                                                      • Opcode Fuzzy Hash: 99886b6d3bd13231e95e12c6dbbb553501548ffaeba8f675e2c0128411051775
                                                                                                                                                                      • Instruction Fuzzy Hash: BC31FE35A10609DFCF04EFA8D894CEDBBB5FF89310F018659E5056B224FB70A989CB91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a0aa2692d004eb48ddd32e6d5949d940a99a38cceea50dd7c8cd9644b6c3e186
                                                                                                                                                                      • Instruction ID: ee110fccfde1eb95927cdabe2b8e4fb023e5dd28e3758c62a8d8f24282ec36a7
                                                                                                                                                                      • Opcode Fuzzy Hash: a0aa2692d004eb48ddd32e6d5949d940a99a38cceea50dd7c8cd9644b6c3e186
                                                                                                                                                                      • Instruction Fuzzy Hash: 8821AE78B00245CFEB20DBA4E948BAEB7F8FB49355F105469E619DB340EB34DA11CB91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3151659191.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_9fd000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b976fb6d0e9f9c379e6c34cf37b251fee053654ab997d67b18e074758946ce8b
                                                                                                                                                                      • Instruction ID: baecc28bd0f70bec3874b2fdaa2ce9e403a899bedd4c12e3b21548ce83207ccc
                                                                                                                                                                      • Opcode Fuzzy Hash: b976fb6d0e9f9c379e6c34cf37b251fee053654ab997d67b18e074758946ce8b
                                                                                                                                                                      • Instruction Fuzzy Hash: 68213AB1501248DFDB15DF10D9C0B36BB66FB94314F20C669EA094F256C336D856CBA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 646df50cedf04689f4eae3b47b369f78eeb7b59a15a4a3e78572dc82c790f470
                                                                                                                                                                      • Instruction ID: 8f4bf75a188360717970fe67966c0f9434c2e31b845a1fabb40979c0414da060
                                                                                                                                                                      • Opcode Fuzzy Hash: 646df50cedf04689f4eae3b47b369f78eeb7b59a15a4a3e78572dc82c790f470
                                                                                                                                                                      • Instruction Fuzzy Hash: B1212AB4E0024D9FDB40DFA8C8516EEBBF1EB48210F1095A6D501FB345F7359A41CBA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 83c5b2596ec7e0a471c376494e87fdf2f67b81c251e92329747c8f538fb24960
                                                                                                                                                                      • Instruction ID: f6f67f0ff44a7184acac6827d329776d44cbfaf1cf314b79b1c68ea462278fd8
                                                                                                                                                                      • Opcode Fuzzy Hash: 83c5b2596ec7e0a471c376494e87fdf2f67b81c251e92329747c8f538fb24960
                                                                                                                                                                      • Instruction Fuzzy Hash: 1A21A1F0A0C126DFE7908ADCC490739BABDEB55358F24A0E7C5168F285F3608A04CBD6
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3151722234.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_a0d000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 85d00c349d6d80c26926bdcd3f7c5fa408e5a9d2e71d77ee002170894e874fb3
                                                                                                                                                                      • Instruction ID: 1bfb3d8c1039a0d2bfdf374e18d263f56e19763aa3b16f445d0a3b0938ccc6cf
                                                                                                                                                                      • Opcode Fuzzy Hash: 85d00c349d6d80c26926bdcd3f7c5fa408e5a9d2e71d77ee002170894e874fb3
                                                                                                                                                                      • Instruction Fuzzy Hash: E4210472504348EFDB05DF90E5C0B66BB65FB88314F20CAADE8094B292C776D846CA61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3151722234.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_a0d000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: daaf98a8e7a3578d3c986c299a75a188bf7a1ea160b88d0716a37eaca04653ec
                                                                                                                                                                      • Instruction ID: 5742d5da635e5f105be8b9644a97254f63d81799d3c1645251c3ff1ff699bb49
                                                                                                                                                                      • Opcode Fuzzy Hash: daaf98a8e7a3578d3c986c299a75a188bf7a1ea160b88d0716a37eaca04653ec
                                                                                                                                                                      • Instruction Fuzzy Hash: 30F059F2D1E184DFF3D187941C502727BA69B8520374008CBA8078F562F5318405C3E3
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: c88e83201dc2d6e9329b2e11736c6503d50a920c4f2dc165602e212e036c7f74
                                                                                                                                                                      • Instruction ID: db016a1fb2a42d1b7cda0a5377109a589a7fb57038260beb52d0f60b670bf87b
                                                                                                                                                                      • Opcode Fuzzy Hash: c88e83201dc2d6e9329b2e11736c6503d50a920c4f2dc165602e212e036c7f74
                                                                                                                                                                      • Instruction Fuzzy Hash: FDF0FF35700259AFDB055F5598458AEBFA6FB8C210714802AFD1683350DB768821DB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3151659191.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_9fd000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a9627df004e81cdda3cce95612743a515902799a3b21d44163291d9542d92d19
                                                                                                                                                                      • Instruction ID: f164c78cb963319cdb89e90f225c6aa7c4db20125f457b1d520bd15cd90aef3f
                                                                                                                                                                      • Opcode Fuzzy Hash: a9627df004e81cdda3cce95612743a515902799a3b21d44163291d9542d92d19
                                                                                                                                                                      • Instruction Fuzzy Hash: 7FF06D72409348AEE7209A16DC84B62FFACEB51734F18C55AEE484F686C3799C44CBB1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 219ab04dc3cdf4bbf12f9b7f9043e9cf4173c81796db9241dddcf0cca6940933
                                                                                                                                                                      • Instruction ID: 2b0bb1c9e79d25e66eeb1a823cc707b70ea20cc04ea52141f30dfe9f55e65f62
                                                                                                                                                                      • Opcode Fuzzy Hash: 219ab04dc3cdf4bbf12f9b7f9043e9cf4173c81796db9241dddcf0cca6940933
                                                                                                                                                                      • Instruction Fuzzy Hash: 03E09BF050D2CCEFBB9096606C511793BA8576631174206D7E80B8F507F91A0950D3F3
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2d701611d1e59435739aeae7c7ce342e85df717f54b4d9f700d6462d52c44cdb
                                                                                                                                                                      • Instruction ID: 42c021a7d273e93410ea62fc48921f83e57d961d700570b214a4a5943d278f8e
                                                                                                                                                                      • Opcode Fuzzy Hash: 2d701611d1e59435739aeae7c7ce342e85df717f54b4d9f700d6462d52c44cdb
                                                                                                                                                                      • Instruction Fuzzy Hash: A1F01274A00108AFD744EF94D491B6DBBF2FF88310F28C555A4459B359CA31AD82DB91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 59f911a46f97bfa94281eb002eeadb28f338e2985fdb696abed7ccb542182d74
                                                                                                                                                                      • Instruction ID: e9d850e7e6c242c3ff0391d318b6992ee25dfc73b8d9cc78508ab90d53197803
                                                                                                                                                                      • Opcode Fuzzy Hash: 59f911a46f97bfa94281eb002eeadb28f338e2985fdb696abed7ccb542182d74
                                                                                                                                                                      • Instruction Fuzzy Hash: E9F0B4B0E45345EFDF419BB4CC4A9AEBF72AF4A300F018196E6226B2D1D7345915CB51
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4d7ce17596841e740d5fe03a0897e12c128f73971420f2871235692bb32bd41b
                                                                                                                                                                      • Instruction ID: c2cfbee0800676eb367ae116f5a3f345804f4bf09782adc1c5a418201c6d339a
                                                                                                                                                                      • Opcode Fuzzy Hash: 4d7ce17596841e740d5fe03a0897e12c128f73971420f2871235692bb32bd41b
                                                                                                                                                                      • Instruction Fuzzy Hash: F0F089B05097825FD7535F78CC506A5BFB1AF42144B2845EBC1D19B293D6254C49C752
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d9d1f5be832de6b1a8fe2700464c2cf64b596187e988765f23f9ec337e9e1e54
                                                                                                                                                                      • Instruction ID: abc7ef0b88349e163da478acbd8cb3e6b701a60d87d5692bd1aed7fc20fce287
                                                                                                                                                                      • Opcode Fuzzy Hash: d9d1f5be832de6b1a8fe2700464c2cf64b596187e988765f23f9ec337e9e1e54
                                                                                                                                                                      • Instruction Fuzzy Hash: 0FF0A7F5CC81549EE390422494142B57E639793306F18D0FED4590F586EB3FC843C7A1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 17587c6dd83cbaa8a61c9c057ac4713bc1c0b912c7ff51f4cd9d4478190aaf5b
                                                                                                                                                                      • Instruction ID: 662cddc6229ecd5cf8b848317aa9383c4a9d84c8019cd1129dfe0415a138ac5a
                                                                                                                                                                      • Opcode Fuzzy Hash: 17587c6dd83cbaa8a61c9c057ac4713bc1c0b912c7ff51f4cd9d4478190aaf5b
                                                                                                                                                                      • Instruction Fuzzy Hash: 22E06D316007456BC714CE16D8C5A8AFBB9FF88260750C97AE86DC7701DA74D946CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d46e5b0ff8f87feb7660d699e863a4aa86e6c5bca9cd3cfc18db14d5528f7233
                                                                                                                                                                      • Instruction ID: c207007c6d5aa7ae325f61358a32255f5b64638f31873cf68798eedbeb583e17
                                                                                                                                                                      • Opcode Fuzzy Hash: d46e5b0ff8f87feb7660d699e863a4aa86e6c5bca9cd3cfc18db14d5528f7233
                                                                                                                                                                      • Instruction Fuzzy Hash: 56E0D8F050DA08EFE3A0CA549412BB17FEEEB44381F50C5D6D54B9A604E7715440C6D2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 33f8ffe3e2e3660c86f522e3c4ebeb7b36440fab8d3e318118451255bbbb6524
                                                                                                                                                                      • Instruction ID: 5494ae6b15d9b4fe50578107a9ccbb9a8fbe9dbd42434d1d9f2742d3e82cc7c7
                                                                                                                                                                      • Opcode Fuzzy Hash: 33f8ffe3e2e3660c86f522e3c4ebeb7b36440fab8d3e318118451255bbbb6524
                                                                                                                                                                      • Instruction Fuzzy Hash: 03E086F12CC204DFF7CCBA68541A776B7F79B90304F1094E690474E291FA366810CAD1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 15805713d0b29b25f2eda2d5f1360b1eb929da1a9bf5066dfa92c6f74f737942
                                                                                                                                                                      • Instruction ID: 6c40fffd3af7b8536b2535ba60a6f3000c70d3d60cc68cb61f6b7f96ac658758
                                                                                                                                                                      • Opcode Fuzzy Hash: 15805713d0b29b25f2eda2d5f1360b1eb929da1a9bf5066dfa92c6f74f737942
                                                                                                                                                                      • Instruction Fuzzy Hash: 56E08630B0A3848FD7026FB158663693BBEAF82204309C0D6E145CF396CE29C909D312
                                                                                                                                                                      • Opcode Fuzzy Hash: e4fd9715eb484d6a8d81abd6204a09ca6e7eac3a61e49eacd25145e835db34cd
                                                                                                                                                                      • Instruction Fuzzy Hash: DCD012B5408190DFC300DB51DD99C4D3FF0BE1D30030509C9D4059B223E334A411CB84
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f4af56bf65fa1c4dd0f940a0cd7ec2ac445c66f287d21a4152aab073e1c36757
                                                                                                                                                                      • Instruction ID: 6414c4a750fb63fc1019caf7d11031fe4fba494dc81e67d50585ca8203bd4846
                                                                                                                                                                      • Opcode Fuzzy Hash: f4af56bf65fa1c4dd0f940a0cd7ec2ac445c66f287d21a4152aab073e1c36757
                                                                                                                                                                      • Instruction Fuzzy Hash: 22B012F400F24CCE77C025D724291353F2C3404A0C70030D2A60F3C800FB019452C4D3
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4b8384cd794042b53236635d2a0b2650e025a78726a0daae842d09306fdd0d54
                                                                                                                                                                      • Instruction ID: 960d8364ca4953e9d033d3ca7c57456401a5cc3565618fe0e729609d291734da
                                                                                                                                                                      • Opcode Fuzzy Hash: 4b8384cd794042b53236635d2a0b2650e025a78726a0daae842d09306fdd0d54
                                                                                                                                                                      • Instruction Fuzzy Hash: 05C08CF0B50219AFEB408A01DF43D6C33627B04B00F010050A2026B194E26046008680
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3159870062.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6bd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f606e5f459f8f9f7db0158c0cd84a2253e090e8f676f0d75091e76191637bded
                                                                                                                                                                      • Instruction ID: b84571106509b9c2e393bf0b6ae789959b79dc2f16cc477059f3bf87ef4c6c05
                                                                                                                                                                      • Opcode Fuzzy Hash: f606e5f459f8f9f7db0158c0cd84a2253e090e8f676f0d75091e76191637bded
                                                                                                                                                                      • Instruction Fuzzy Hash: 51A011F000820CCE23802288A0080BE3B2CA000228B000082EA0A0E002BA2AB82002C8
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: 4'q$4'q$4'q$$q
                                                                                                                                                                      • API String ID: 0-97408120
                                                                                                                                                                      • Opcode ID: d8476505ff1ca1904659d7539d2a0c8454a3c0803d43e35510678ba6f14a3f8d
                                                                                                                                                                      • Instruction ID: 3d38bdda5d8e832cfe572ab1240d6a1735f365023080768242eac7226c2d4a57
                                                                                                                                                                      • Opcode Fuzzy Hash: d8476505ff1ca1904659d7539d2a0c8454a3c0803d43e35510678ba6f14a3f8d
                                                                                                                                                                      • Instruction Fuzzy Hash: 2BF1B031B00211DFDB29AFBCC494A2D77A6BF85746B19846DE406DB361DB32DC42CB92
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: d
                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                      • Opcode ID: 48da564e179f2c64e08ce76d2bfbfcf31906ddf8cd097e284ba6ea290af9d413
                                                                                                                                                                      • Instruction ID: 87a1230fc0eb2b490630e0e90427079ab0f6ae9e13a99ea15a7c5ecfc4f30bb1
                                                                                                                                                                      • Opcode Fuzzy Hash: 48da564e179f2c64e08ce76d2bfbfcf31906ddf8cd097e284ba6ea290af9d413
                                                                                                                                                                      • Instruction Fuzzy Hash: B651D275E00228CFDB28DF66CC007EEBBB2BB89301F44C1AAD419A7255DB355A86CF45
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: d
                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                      • Opcode ID: d6b8cacb6c7a5d23506dc6df3b6ede85c81a0c44c2c6b90678544c5c2635c4e8
                                                                                                                                                                      • Instruction ID: c93a5c31d8156c370d9727204d552a4f9bbb142e126ff2166c89a69c17460150
                                                                                                                                                                      • Opcode Fuzzy Hash: d6b8cacb6c7a5d23506dc6df3b6ede85c81a0c44c2c6b90678544c5c2635c4e8
                                                                                                                                                                      • Instruction Fuzzy Hash: 3E51D375E00228DFDB24DF66CC007EEBBB6AB89301F44C1EAD418A7255DB355A82CF45
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 28e5bee92b1a1462cbbda37c06cc8ecddd90a34e16e7b6bfb6c6de165957abd9
                                                                                                                                                                      • Instruction ID: fa9935c24c23c204e923f31877987043ab3113bcca98c519ba078d2f748d41b6
                                                                                                                                                                      • Opcode Fuzzy Hash: 28e5bee92b1a1462cbbda37c06cc8ecddd90a34e16e7b6bfb6c6de165957abd9
                                                                                                                                                                      • Instruction Fuzzy Hash: 8AE11C74E002198FDB54DFA8C580AAEFBF2FF89315F248169D414AB35AD731A941CFA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a7cb4bf767a557348352a3e6fa7125672464aaf25a879967b07911ddc1d16428
                                                                                                                                                                      • Instruction ID: 201a97e37c5bccf2cb0e2dbb9edec116e997cc298189dde01542c4dfe1b81adc
                                                                                                                                                                      • Opcode Fuzzy Hash: a7cb4bf767a557348352a3e6fa7125672464aaf25a879967b07911ddc1d16428
                                                                                                                                                                      • Instruction Fuzzy Hash: F2E11A74E002198FDB54DFA8C690AAEFBF2FF89314F248169D414AB35AD731A941CF61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9c61cb9a12f99575c49f2bfc8662e16a6fb12c3094e47e7aafc701bd34a95498
                                                                                                                                                                      • Instruction ID: a04f5b6546f8649cc02c68b37f57fd1e237f13820bd4535149c9c6ee124276a5
                                                                                                                                                                      • Opcode Fuzzy Hash: 9c61cb9a12f99575c49f2bfc8662e16a6fb12c3094e47e7aafc701bd34a95498
                                                                                                                                                                      • Instruction Fuzzy Hash: F2E13B75E042198FDB54DFA8C580AAEFBF2BF89304F24C169D414A735ADB31A941CFA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2ca11564ad44207ce4cf1b4e51ce12089e75dce53e8baba9bfc5915e7d96d2c7
                                                                                                                                                                      • Instruction ID: ef72a7bcca34ca426c6a73f98022d9fdf954c380bfc485ee4972290cae148392
                                                                                                                                                                      • Opcode Fuzzy Hash: 2ca11564ad44207ce4cf1b4e51ce12089e75dce53e8baba9bfc5915e7d96d2c7
                                                                                                                                                                      • Instruction Fuzzy Hash: 96E11B75E002198FDB54DFA8C580AAEFBF2BF89314F24C169D414AB359DB31A941CFA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a5c982d1654581fa9dfa257a65d9d07dac6b5426c3cd9a0714b3a1a4261a98b7
                                                                                                                                                                      • Instruction ID: 903c2401c234f59b43c751abc5b24e52aa8874c1b06a2ea5f58f3f5dbb04f082
                                                                                                                                                                      • Opcode Fuzzy Hash: a5c982d1654581fa9dfa257a65d9d07dac6b5426c3cd9a0714b3a1a4261a98b7
                                                                                                                                                                      • Instruction Fuzzy Hash: 9EE10975E002198FDB54DFA8C580AAEFBF2BF89314F24C169D414AB35AD731A942CF61
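The five functions recovered from the 06FC0000 dump above differ from one another in only a handful of hex positions of their Instruction Fuzzy Hash, and the two 089C0000 functions carrying String ID d are likewise close; across a whole report this is the pattern an analyst wants a script to find rather than eyes. The Python below is an added example, not Joe Sandbox code: it parses records in this page's own field layout (the four embedded sample records are copied from this page as constructed input), pulls the dump offset out of the Source File line, and reports function pairs whose Instruction Fuzzy Hashes are close. The page does not document the fuzzy hash scheme, so treating the hash as an opaque positional digest compared by Hamming distance, and the cut-off of 12 mismatches, are assumptions made for illustration.

```python
# Added example: parse Joe Sandbox "Memory Dump Source" function records and
# flag near-duplicate functions by Instruction Fuzzy Hash distance (not Joe Sandbox code).
import re
from itertools import combinations

# Constructed sample: four records copied in the page's own field layout,
# two from the 089C0000 dump and two from the 06FC0000 dump.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 48da564e179f2c64e08ce76d2bfbfcf31906ddf8cd097e284ba6ea290af9d413
• Instruction ID: 87a1230fc0eb2b490630e0e90427079ab0f6ae9e13a99ea15a7c5ecfc4f30bb1
• Opcode Fuzzy Hash: 48da564e179f2c64e08ce76d2bfbfcf31906ddf8cd097e284ba6ea290af9d413
• Instruction Fuzzy Hash: B651D275E00228CFDB28DF66CC007EEBBB2BB89301F44C1AAD419A7255DB355A86CF45
Memory Dump Source
• Source File: 00000000.00000002.3161442132.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: d6b8cacb6c7a5d23506dc6df3b6ede85c81a0c44c2c6b90678544c5c2635c4e8
• Instruction ID: c93a5c31d8156c370d9727204d552a4f9bbb142e126ff2166c89a69c17460150
• Opcode Fuzzy Hash: d6b8cacb6c7a5d23506dc6df3b6ede85c81a0c44c2c6b90678544c5c2635c4e8
• Instruction Fuzzy Hash: 3E51D375E00228DFDB24DF66CC007EEBBB6AB89301F44C1EAD418A7255DB355A82CF45
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28e5bee92b1a1462cbbda37c06cc8ecddd90a34e16e7b6bfb6c6de165957abd9
• Instruction ID: fa9935c24c23c204e923f31877987043ab3113bcca98c519ba078d2f748d41b6
• Opcode Fuzzy Hash: 28e5bee92b1a1462cbbda37c06cc8ecddd90a34e16e7b6bfb6c6de165957abd9
• Instruction Fuzzy Hash: 8AE11C74E002198FDB54DFA8C580AAEFBF2FF89315F248169D414AB35AD731A941CFA1
Memory Dump Source
• Source File: 00000000.00000002.3160626778.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6fc0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7cb4bf767a557348352a3e6fa7125672464aaf25a879967b07911ddc1d16428
• Instruction ID: 201a97e37c5bccf2cb0e2dbb9edec116e997cc298189dde01542c4dfe1b81adc
• Opcode Fuzzy Hash: a7cb4bf767a557348352a3e6fa7125672464aaf25a879967b07911ddc1d16428
• Instruction Fuzzy Hash: F2E11A74E002198FDB54DFA8C690AAEFBF2FF89314F248169D414AB35AD731A941CF61
"""

FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")   # "• Name: value" bullets
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")      # module base inside the Source File line

def parse_records(text):
    """Split on 'Memory Dump Source' headers; collect each record's bullet fields into a dict."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()                      # the extracted page pads every line with spaces
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:                               # labels without a bullet (Strings, Similarity) carry no value
            continue
        key, value = m.group(1), m.group(2).strip()
        current[key] = value
        if key == "Source File":                # keep the dump base address as its own field
            om = OFFSET_RE.search(value)
            current["Offset"] = om.group(1).upper() if om else ""
    return records

def hamming(a, b):
    """Positional mismatch count of two equal-length hex strings; None if lengths differ.
    Assumption: the page does not document the fuzzy hash scheme, so it is compared positionally."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a.upper(), b.upper()))

def near_duplicates(records, max_distance=12):
    """Pairs (opcode-id prefix, opcode-id prefix, distance) whose Instruction Fuzzy Hashes
    differ in at most max_distance positions; the default cut-off is an illustrative value."""
    hits = []
    for r1, r2 in combinations(records, 2):
        d = hamming(r1.get("Instruction Fuzzy Hash", ""), r2.get("Instruction Fuzzy Hash", ""))
        if d is not None and d <= max_distance:
            hits.append((r1["Opcode ID"][:8], r2["Opcode ID"][:8], d))
    return hits
```

On the embedded sample, near_duplicates(parse_records(SAMPLE)) returns the two 089C0000 functions at distance 10 and the two 06FC0000 functions at distance 7; pointed at the full report text instead of SAMPLE, the remaining 06FC0000 functions sit at distances of the same order, so the cut-off decides how many of them cluster. Records are kept as plain dicts so the empty API ID / String ID fields survive as empty strings rather than being dropped, which matters when a later pass wants to select only the functions Joe Sandbox could tie to a string.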
Memory Dump Source
• Source File: 00000000.00000002.3158593886.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5770000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.3158593886.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5770000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.3152033288.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c00000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 7.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 33
Total number of Limit Nodes: 5

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 02FDD136
• GetCurrentThread.KERNEL32 ref: 02FDD173
• GetCurrentProcess.KERNEL32 ref: 02FDD1B0
• GetCurrentThreadId.KERNEL32 ref: 02FDD209
Memory Dump Source
• Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 02FDD136
• GetCurrentThread.KERNEL32 ref: 02FDD173
• GetCurrentProcess.KERNEL32 ref: 02FDD1B0
• GetCurrentThreadId.KERNEL32 ref: 02FDD209
Memory Dump Source
• Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02FDB086
Memory Dump Source
• Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 02FD59F1
Memory Dump Source
• Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 02FD59F1
Memory Dump Source
• Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

                                                                                                                                                                      Control-flow Graph
                                                                                                                                                                      • control_flow_graph 462 2fdd2f9-2fdd394 DuplicateHandle 463 2fdd39d-2fdd3ba 462->463 464 2fdd396-2fdd39c 462->464 464->463
                                                                                                                                                                      APIs
                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FDD387
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                      • Opcode ID: ec5d1b56bc26cb865780261cad8b90991f425c41b3c4f06b17151a6fcd90ceee
                                                                                                                                                                      • Instruction ID: 1e975f40d1cddbd101b74b491f63ad5ac99fc0cf9534c5d913011ea63c70e403
                                                                                                                                                                      • Opcode Fuzzy Hash: ec5d1b56bc26cb865780261cad8b90991f425c41b3c4f06b17151a6fcd90ceee
                                                                                                                                                                      • Instruction Fuzzy Hash: EB21E2B6D00208DFDB10CFAAD985AEEBBF5FB48314F14841AE918A7310C375A954CF64

                                                                                                                                                                      Control-flow Graph
                                                                                                                                                                      • control_flow_graph 467 2fdd300-2fdd394 DuplicateHandle 468 2fdd39d-2fdd3ba 467->468 469 2fdd396-2fdd39c 467->469 469->468
                                                                                                                                                                      APIs
                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FDD387
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                      • Opcode ID: 78dc144afecdd1b01fbb8bdbf3c14aa80a14921063f0ca47c65d0865aad2ebd3
                                                                                                                                                                      • Instruction ID: 7c67f5169fe7851b8822dd69f8a5104a456c4e98e4b2c62ba343a2120d1eb649
                                                                                                                                                                      • Opcode Fuzzy Hash: 78dc144afecdd1b01fbb8bdbf3c14aa80a14921063f0ca47c65d0865aad2ebd3
                                                                                                                                                                      • Instruction Fuzzy Hash: 0A21E0B59002489FDB10CFAAD984ADEBBF9EB48314F14801AE918A3210C375A950CFA4

                                                                                                                                                                      Control-flow Graph
                                                                                                                                                                      • control_flow_graph 472 2fdb020-2fdb060 473 2fdb068-2fdb093 GetModuleHandleW 472->473 474 2fdb062-2fdb065 472->474 475 2fdb09c-2fdb0b0 473->475 476 2fdb095-2fdb09b 473->476 474->473 476->475
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02FDB086
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000002.3152012721.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_2_2fd0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                      • Opcode ID: b507ef656c1985abb7b4b96aa542cd0a2abbdd5e66418579767f6f56bdf6802f
                                                                                                                                                                      • Instruction ID: a3b4a789a32d727186079e3ceae32909bc5314a16d87dd97db5cbf9a948b60fe
                                                                                                                                                                      • Opcode Fuzzy Hash: b507ef656c1985abb7b4b96aa542cd0a2abbdd5e66418579767f6f56bdf6802f
                                                                                                                                                                      • Instruction Fuzzy Hash: 63110FB6C003498FDB20CF9AC448ADEFBF5EB88718F14841AD928A7210C375A545CFA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000002.3151743292.0000000002E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E4D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_2_2e4d000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9ea86d259474a02759e75468b3e961bc54e876c3cef758dc59a6ac34617afbe8
                                                                                                                                                                      • Instruction ID: dacb280dcd5efe281d789e1f96e80a1a90e12f4176e2b1700851d23e10ff43a9
                                                                                                                                                                      • Opcode Fuzzy Hash: 9ea86d259474a02759e75468b3e961bc54e876c3cef758dc59a6ac34617afbe8
                                                                                                                                                                      • Instruction Fuzzy Hash: 4A210771544340DFDB14DF10E9C4B16BB66FB84318F20C56DD80A4B256CB76E847CA61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000002.3151743292.0000000002E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E4D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_2_2e4d000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 58202293e46e0269572cdd5cbaf7fb6c568715721550ec145f8cbbc28397e7da
                                                                                                                                                                      • Instruction ID: 87b69b42e2260c0f5f16ba9e79b3a63d76462d136805f24db49f3db3c4144f21
                                                                                                                                                                      • Opcode Fuzzy Hash: 58202293e46e0269572cdd5cbaf7fb6c568715721550ec145f8cbbc28397e7da
                                                                                                                                                                      • Instruction Fuzzy Hash: 222195755493C08FCB06CF20D994715BF71EB46218F28C5EAD8498F2A7C33A980BCB62
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000002.3151641684.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_2_157d000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: add2a2f1c84bc6bd48a7f8a537ab0ddfb08bc52327ce37c23bb271a72d1b4678
                                                                                                                                                                      • Instruction ID: da322879357f1f043b5adfa171002baa5dc9b0c9bbc80bb57a279c90097f2eee
                                                                                                                                                                      • Opcode Fuzzy Hash: add2a2f1c84bc6bd48a7f8a537ab0ddfb08bc52327ce37c23bb271a72d1b4678
                                                                                                                                                                      • Instruction Fuzzy Hash: 0AF03776200600AF97208F0AD885C27FBB9FFD4730719C55AE84A4B612C631E841CAA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000002.3151641684.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_2_157d000_C5Zr4LSzmp.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ed81c5f9f5e31d686bb9c2658a7aa700b359cd648f81ec708fc4281daeabd10d
                                                                                                                                                                      • Instruction ID: 6b08658bd982adc0adcadd64e4b1d1dcdd27f42ebfa976354e36b1cb8881c455
                                                                                                                                                                      • Opcode Fuzzy Hash: ed81c5f9f5e31d686bb9c2658a7aa700b359cd648f81ec708fc4281daeabd10d
                                                                                                                                                                      • Instruction Fuzzy Hash: 50F03775104680AFD7258F06C985C22BFB9FF8A7607198489E89A4B262C631FC42CB60